Docker releases patches for critical authentication bypass flaw

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Eight critical vulnerabilities fixed in SolarWinds Access Rights Manager?

SolarWinds has addressed eight critical vulnerabilities in its Access Rights Manager (ARM) software with the release of version 2024.3, which includes fixes for six remote code execution (RCE) flaws and three directory traversal vulnerabilities. The RCE flaws, identified by CVE-IDs such as CVE-2024-23469 and CVE-2024-28074, could allow attackers to execute arbitrary code on unpatched systems. Additionally, directory traversal vulnerabilities (CVE-2024-23475 and CVE-2024-23472) enable unauthorized file deletion and access to sensitive information.

\A high-severity authentication bypass vulnerability (CVE-2024-23465) could grant domain admin access within an Active Directory environment. To mitigate these risks, SolarWinds recommends upgrading to ARM version 2024.3 from version 2023.2.4, and advises regular security policy reviews, system monitoring, and limiting internet-exposed services to enhance security.

2. Critical 5-year-old Docker Engine flaw enables authentication bypass

Docker has released updates to address a critical vulnerability (CVE-2024-41110) in Docker Engine, present in versions up to v27.1.0, which allows attackers to bypass authorization plugins by sending a specially crafted API request with a Content-Length of 0. This flaw, discovered in April 2024 but lingering from a previous fix that was not fully implemented, poses risks of unauthorized actions and privilege escalation.

The issue occurs because the Docker daemon forwards such requests to the AuthZ plugin without the body, preventing proper validation and potentially approving unauthorized actions, including privilege escalation. Docker Desktop versions up to v4.32.0 are also affected, but the impact is less severe. Users are advised to upgrade to Docker Engine versions above v23.0.14, v26.1.4, or v27.1.0, or Docker Desktop v4.33.0. For those unable to upgrade, disabling AuthZ plugins and restricting Docker API access are recommended.

3. Critical security vulnerabilities patched in Cisco SEG and Cisco SSM On-Prem

Cisco has patched critical vulnerabilities in its Security Email Gateway (SEG) and Cisco Smart Software Manager On-Prem (Cisco SSM On-Prem). The SEG vulnerability (CVE-2024-20401) is an arbitrary file write issue caused by improper email attachment handling, allowing attackers to add root users, modify configurations, execute arbitrary code, and cause a denial of service. It affects systems running vulnerable versions of Cisco AsyncOS with specific mail policy settings.

The SSM On-Prem vulnerability (CVE-2024-20419) is due to a flaw in the password change process, allowing attackers to set new user passwords without prior knowledge. This affects Cisco SSM On-Prem versions 8-202206 and earlier, and Cisco SSM Satellite installations earlier than Release 7.0. Cisco recommends updating to Content Scanner Tools version 23.3.0.4823 or later for SEG and to Cisco SSM On-Prem Release 8-202212 or later for SSM to mitigate these vulnerabilities, as there are no other workarounds.

4. Infamous FIN7 group distributes EDR-killing tool to other cybercriminals

The FIN7 hacking group, known for its sophisticated cyberattacks and involvement in financial fraud and ransomware operations like DarkSide and BlackMatter, is now selling its custom tool “AvNeutralizer” to disable enterprise endpoint protection software. This tool, also known as AuKill, has been used in attacks by ransomware groups such as BlackBasta, BlackCat, and LockBit, and is being sold on Russian-speaking hacking forums for $4,000 to $15,000.

AvNeutralizer works by using legitimate system drivers like the SysInternals Process Explorer and the Windows ProcLaunchMon.sys driver to terminate antivirus processes and create a denial-of-service condition. To mitigate these threats, it is recommended to keep security software updated, employ robust intrusion detection systems, implement strict access controls, monitor for unusual use of system drivers, and harden endpoint defenses against known techniques used by FIN7.?

5. Play ransomware’s new Linux variant attacks VMware ESXi Virtual Machines

Play ransomware has introduced a new Linux variant targeting VMware ESXi environments, signaling a strategic shift to exploit critical business operations by disrupting virtual machines and leveraging double extortion tactics. Known as Balloonfly or PlayCrypt, this variant powers off running VMs, encrypts files, and appends the .PLAY extension, leaving a ransom note in the root directory.

Cybersecurity researchers noted its use of tools like PsExec, NetScan, and the Coroxy backdoor, alongside URL-shortening services and registered domain generation algorithms for evasion. To mitigate risks, it is recommended to implement multi-factor authentication (MFA), segment networks, educate employees on phishing, employ intrusion detection systems, and secure administrative interfaces.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.